SANS ISC InfoSec Forums

In the past few weeks, the rate of ransomware attacks has increased dramatically. Even in the popular news, we've seen several hospitals report major infections and both the United States and Canada issuing warnings. Here are some quick tips to prevent ransomware infections.

Prevent Execution of Files in %AppData% Directories

Generally, most large-scale ransomware runs rely on either exploit kits or spam engines. In both cases, for the malware to execute it usually resides in various temporary directories in Windows (%AppData%). It is possible to disable the ability to execute binaries in these directories via Group Policy or Security Policy, which means that when a user double-clicks Invoice.exe, the malware will not run. This is accomplished with Software Restriction Policies; an example of how to enable this is shown on this blog.

The advantage of doing this is that it can also prevent some other forms of malware from executing.

Fully Patched Systems, Java, Shockwave, Flash (et al)

Exploit kits rely on vulnerabilities on the client machine to get malware to execute. Usually this involves vulnerabilities in Java, Shockwave, Flash, and Adobe Reader. With Windows Update, many systems are now automatically configured to get updates, but the same has not been true of third-party software: it wasn't until recently, for instance, that Flash integrated an auto-updater. Making sure these are updated will prevent exploit kits from being successful. That being said, occasionally exploit kits do use 0-day exploits, but it is a relatively rare occurrence.

Disable E-mails with Executable Attachments

Many ransomware emails carry executable attachments; simply blocking e-mails with executable attachments will prevent users from receiving them. Also look for emails with "double file extensions" (for example, Invoice.pdf.exe). Another common trick is a zip attachment that contains an executable or an HTML document (which uses other tricks to download an executable). Teaching users to spot these abnormal e-mails so they do not open the attachments is key.
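To make the three attachment checks above concrete (executable extension, double extension, zip wrapping an executable or HTML file), here is an added example of a mail-gateway style attachment triage function. It is not code from the diary; the extension lists, function names and the constructed sample attachments are assumptions for illustration.

```python
import io
import zipfile
from typing import List

# Extensions Windows will execute directly on double-click.
# Illustrative starter list (assumed here, not taken from the diary); tune to your environment.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".msi", ".ps1", ".jar",
}
# Document-like extensions placed before the real one so "Invoice.pdf.exe" looks like a PDF.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
HTML_EXTENSIONS = {".htm", ".html"}


def _extensions(name: str) -> List[str]:
    """All dotted suffixes of a filename, lowercased: 'a/Invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().replace("\\", "/").rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def check_filename(name: str) -> List[str]:
    """Reasons to block based on the attachment name alone (empty list == nothing found)."""
    reasons: List[str] = []
    exts = _extensions(name)
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable attachment ({exts[-1]})")
        # Double extension: a decoy document suffix immediately before the executable one.
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension ({exts[-2]}{exts[-1]})")
    return reasons


def check_attachment(name: str, data: bytes) -> List[str]:
    """Reasons to block this attachment; an empty list means it passed these checks."""
    reasons = check_filename(name)
    # Inspect zip archives by name or by magic bytes (local file header / empty-archive marker).
    if _extensions(name)[-1:] == [".zip"] or data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = _extensions(member)
                    if not inner:
                        continue
                    if inner[-1] in EXECUTABLE_EXTENSIONS:
                        reasons.append(f"zip contains executable: {member}")
                    elif inner[-1] in HTML_EXTENSIONS:
                        reasons.append(f"zip contains HTML document: {member}")
        except zipfile.BadZipFile:
            # Something claiming to be a zip but not parseable is itself worth blocking.
            reasons.append("zip attachment is corrupt or not a zip archive")
    return reasons


def build_sample_zip(member_name: str, content: bytes) -> bytes:
    """Constructed test input: an in-memory zip with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


def demo():
    # Constructed sample attachments, not real mail traffic.
    samples = {
        "Invoice.exe": b"MZ",
        "Invoice.pdf.exe": b"MZ",
        "Invoice.zip": build_sample_zip("Invoice.js", b"// script"),
        "Order.zip": build_sample_zip("Order.html", b"<html></html>"),
        "Report.pdf": b"%PDF-1.4",
    }
    return {name: check_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:20} {'ALLOW' if not reasons else 'BLOCK: ' + '; '.join(reasons)}")
```

The function returns reasons rather than a boolean so the gateway can log why a message was held; a plain `.pdf` passes, while a zip is opened and its member names are run through the same extension logic.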

Maintaining Strong Backups

Lastly, strong backups are essential. If a ransomware infection happens, the organization has only two choices: restore from backup or pay the ransom. If backups are available, recovery may be a hassle, but the eye-popping ransom demands are no longer the only path to a full recovery.

Use of "Vaccines"

All ransomware families need some mechanism to ensure that a victim machine is not encrypted using multiple keys. A typical mechanism is to store the public key in the registry (or other artifacts) so subsequent infections (or executions of the same malware binary) only use the originally obtained key. There have been attempts to create vaccines that exploit this requirement to inoculate victim machines. These may warrant investigation on a case-by-case basis to see if they provide value.

Chime in with comments if there are other techniques you've used to help stop the spread in your organizations.

We found it useful to detect common file extensions on file servers. It doesn't catch everything, but it catches a lot of the common ones like .locky. We generate a warning and know right away which user is responsible on bigger shares. We are working on scripts to deny a user access to a share as soon as a warning is generated and possibly disable the account. I don't think this will help for long, but it speeds up our response process for now. You would have to be careful about false positives as soon as you do an automatic response.
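The detection the comment above describes (known ransomware extensions appearing on shares, attributed to the writing user, with care about false positives before any automatic response) can be implemented as below. This is an added example, not the commenter's script: it assumes file-server audit records are available as (timestamp, user, path) tuples, uses only the `.locky` extension named in the comment, and distinguishes a single hit (warn) from a burst of hits (act) so that one stray file does not lock a user out.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

# Extension named in the comment; extend with extensions actually observed in your environment.
RANSOM_EXTENSIONS = {".locky"}

# Constructed audit record shape (assumed): unix timestamp, account, path that was written.
Record = Tuple[float, str, str]


def is_suspicious_path(path: str) -> bool:
    """True when the final extension of the written file is a known ransomware extension."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in RANSOM_EXTENSIONS


def detect_encryption_bursts(records: Iterable[Record],
                             threshold: int = 5,
                             window: float = 60.0) -> Dict[str, dict]:
    """
    Per user: total suspicious writes ("hits"), whether >= `threshold` of them fell inside
    `window` seconds ("burst"), and up to three example paths for the analyst.
    A single hit warrants a warning; only a burst should drive an automatic response.
    """
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    result: Dict[str, dict] = {}
    for ts, user, path in sorted(records):
        if not is_suspicious_path(path):
            continue
        entry = result.setdefault(user, {"hits": 0, "burst": False, "examples": []})
        entry["hits"] += 1
        if len(entry["examples"]) < 3:
            entry["examples"].append(path)
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            entry["burst"] = True
    return result


def recommend_actions(findings: Dict[str, dict]) -> Dict[str, str]:
    """Map findings to the response the comment describes, gated on burst vs single hit."""
    actions = {}
    for user, entry in findings.items():
        if entry["burst"]:
            actions[user] = "deny share access and review for account disable"
        else:
            actions[user] = "warn and investigate (single hit, possible false positive)"
    return actions


# Constructed sample audit export, not real data.
SAMPLE_AUDIT: List[Record] = [
    (1000.0, "CORP\\jdoe", r"\\fs01\finance\Q1\budget.xlsx.locky"),
    (1001.5, "CORP\\jdoe", r"\\fs01\finance\Q1\forecast.docx.locky"),
    (1002.0, "CORP\\jdoe", r"\\fs01\finance\Q1\notes.txt.locky"),
    (1002.5, "CORP\\jdoe", r"\\fs01\finance\Q1\vendors.csv.locky"),
    (1003.0, "CORP\\jdoe", r"\\fs01\finance\Q1\plan.pptx.locky"),
    (1010.0, "CORP\\asmith", r"\\fs01\it\samples\sample.locky"),  # one file: warn only
    (1011.0, "CORP\\asmith", r"\\fs01\it\docs\readme.txt"),
]


if __name__ == "__main__":
    findings = detect_encryption_bursts(SAMPLE_AUDIT)
    for user, action in recommend_actions(findings).items():
        print(f"{user}: {findings[user]['hits']} hit(s), burst={findings[user]['burst']} -> {action}")
```

Feeding the function from a real audit source (file-server object-access events or a share monitor) is left to the environment; the point of the burst gate is that automatic denial of share access only fires once one account has written several renamed files in quick succession, which is the pattern of an active encryptor rather than a user copying a single sample around.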

[UPDATE] The main protection mechanism provided by the Cryptowall Vaccine relied on exploiting a programming flaw in the Cryptowall Trojan itself. The Cryptowall operators have modified the way they check whether a system has been infected or not, which renders the Cryptowall Vaccine ineffective in some cases.

Because we cannot guarantee the proper functioning of the vaccine anymore, we decided to discontinue providing the tool. Stay tuned for further updates.